The 22-year-old Cebuano, a graduate of Informatics Computer Institute (Cebu), is now a hall of famer, listed and acknowledged on several high-profile websites such as Facebook, Google, Apple, eBay, and Twitter for responsible disclosures.
Last July, Facebook awarded him a total of $4,500 for a privacy bug he found that exposed Facebook users’ primary email addresses. Another $1000 was rewarded after he reported a “logical bug” in Facebook’s pages.
Well, enough of that. Here is the text-based interview by pinoyhacknews with Roy Castillo (we forgot to do this when we met at RootCon 7).
* Who is Roy Castillo, share things other people might not know about you.
Hello, I am Roy Castillo from Danao City, Cebu. I’m interested in web application security. I also like to share my knowledge with others via my blogs and Facebook.
* What are you into before diving in Information Security / Bug Bounty?
I’m an ordinary web developer.
* How did you get interested in information security?
I was curious to learn how to prevent websites from being hacked. So, I started learning about web application vulnerabilities and how to patch those vulnerabilities.
* Your greatest achievement for now (created programs, bug hunting reward)?
As a bug hunter, my greatest achievement was finding critical vulnerabilities in high-profile sites, i.e. SQLi, LFI, RFI, OAuth bypass, Open Redirect, XSS, etc. Usually, I find 0-days and keep them private for testing purposes.
* Any future plan? Will you stay a freelance web security researcher?
It’s really hard to decide whether I should pursue a career in web application security or just continue web development. Development + Security maybe.
* Are you using tools in researching? What are those?
Yes, Firefox extensions, i.e. Hackbar, HTTP Headers, Tamper Data, Firebug.
I love to break sites manually rather than automatically. Second, scanners can’t be better than the human mind and hands 😉
* Quick throwback: what exactly happened in 2011 with “Off to Danao”, which got the attention of international media?
I won’t discuss technical details here on how I exploited the bug, but I will tell you the flaw lay in “/connect/prompt_feed.php” and “/widgets/livefeed.php”, which allowed me to post a status that ended up being posted in the news feeds of many Facebook users. In the end, Facebook just decided to get rid of it entirely.
* What would Roy C. say to those who are new and want to learn the tricks of the trade?
Just learn, read blogs, do some research.
* How does he feel now that he has been dubbed the “Pinoy Bug Bounty Hunter”?
Well, same as before, just normal. Actually, I didn’t report security bugs for fame; I report security bugs for knowledge, experience and bounty.
* What does it take to be a white hat?
Just be ethical. If you find a security vulnerability, just report it to them through responsible disclosure; if they don’t reply, that doesn’t mean we start defacing them. If they don’t patch, it’s because they never knew how to patch; move on… Defacement / intrusion doesn’t help either.
* What inspires him?
For me, Hackers (1995) was a real inspiration. Because of that I got really interested in hacking, which inspired me to go into computers when I was 11.
Advice for starting bug hunters:
Focus on your target, think creatively, use your imagination. Don’t spend your time on attacks like reflected XSS etc.; try to find something special.
Patience is highly recommended if you are a beginner. Once you jump in, you will get used to it.
Be humble wherever you are. It helps.
Final words for the readers:
I would like to tell our readers to always follow their interest. If you want to learn something, Internet is the best place.
/. end interview